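<?php

declare(strict_types=1);

// Stop lookup for a comma-separated list of route ids (query parameter "routeids").
// Responds with {"items":[...]} on success, {"items":[]} when no ids were given,
// and {"error":{"text":"..."}} when the database query fails.

header('Access-Control-Allow-Origin: *');  // allow loading from other domains
header('Content-Type: application/json; charset=utf-8');
include 'config.php';  // provides $dbhost, $dbname, $dbuser, $dbpass

// Get the list of routes. An absent parameter is treated as an empty list, and
// empty entries (e.g. from a trailing comma) are dropped so they never reach the query.
$routeids = array_values(array_filter(
    array_map('trim', explode(',', (string) ($_GET['routeids'] ?? ''))),
    static fn (string $id): bool => $id !== '',
));

if (count($routeids) === 0) {
    echo '{"items":[]}';
    return;
}

// One "?" placeholder per id; the values are bound below rather than
// concatenated into the SQL text, so a crafted id cannot alter the query.
$placeholders = implode(', ', array_fill(0, count($routeids), '?'));
$sql = 'SELECT s.runid, s.display_name, s.latitude, s.longitude, s.id as stopid, r.direction_name '
    . 'FROM Stops s JOIN Runs r on s.runid = r.id '
    . "WHERE s.routeid IN ({$placeholders})";

try {
    $dbh = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbuser, $dbpass, [
        // throw an exception if something goes wrong (see catch block below)
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // real server-side prepared statements: bound values are never spliced
        // into the query text on the client side
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $stmt = $dbh->prepare($sql);
    $stmt->execute($routeids);

    $runs = $stmt->fetchAll(PDO::FETCH_OBJ);
    // close database connection by destroying the object that ref's it
    $dbh = null;

    echo json_encode(['items' => $runs]);
} catch (PDOException $e) {
    // Driver details (host, schema, SQL fragments) stay in the server log;
    // the client only learns that the query failed. Encoding the message via
    // json_encode also keeps the error document well-formed JSON.
    error_log('stops lookup failed: ' . $e->getMessage());
    echo json_encode(['error' => ['text' => 'database error']]);
}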

